Potential Technical Changes to EDGAR Filer Access and Filer Account Management Processes

AGENCY:

Securities and Exchange Commission.

ACTION:

Request for comment.

SUMMARY:

The Securities and Exchange Commission (“Commission”) is requesting comment on potential technical changes related to how entities and individuals access the Commission's Electronic Data Gathering, Analysis, and Retrieval system (“EDGAR”) to make submissions, and how these entities and individuals (“filers”) manage the permissions of individuals who may file on EDGAR on their behalf. Individuals who seek to file on EDGAR on behalf of a filer would be directed to a third-party service provider to create individual user account credentials and to enable multifactor authentication. Each filer would designate a “filer administrator”—analogous to the current filer contact person who receives the filer's EDGAR access codes—to manage the permissions of the filer's individual users through a new filer management tool on EDGAR.

DATES:

Comments should be received on or before the later of: December 1, 2021, or November 4, 2021.

ADDRESSES:

Comments may be submitted by any of the following methods:

Electronic Comments

• Use the Commission's internet comment form ( http://www.sec.gov/rules/submitcomments.htm ); or

• Send an email to rule-comments@sec.gov. Please include File Number S7-12-21 on the subject line.

Paper Comments

• Send paper comments to Vanessa A. Countryman, Secretary, Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549.

All submissions should refer to File Number S7-12-21. This file number should be included on the subject line if email is used. To help the Commission process and review comments more efficiently, please use only one method of submission. The Commission will post all submitted comments on our website ( http://www.sec.gov ). Typically, comments are also available for website viewing and printing in the Commission's Public Reference Room, 100 F Street NE, Washington, DC 20549, on official business days between the hours of 10 a.m. and 3 p.m. Operating conditions may limit access to the Commission's Public Reference Room. All comments received will be posted without change. Persons submitting comments are cautioned that the Commission does not redact or edit personal identifying information from comment submissions. Please submit only information that you wish to make available publicly.

FOR FURTHER INFORMATION CONTACT:

Rosemary Filou, Deputy Director and Chief Counsel; Daniel Chang, Senior Special Counsel; EDGAR Business Office, at 202-551-3900, Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549.

SUPPLEMENTARY INFORMATION:

The Commission is seeking public comment on potential technical changes to the EDGAR access process that include the addition of individual user account credentials as well as a tool on EDGAR through which filers would manage their EDGAR accounts. During the comment period, the Commission will open an EDGAR “Beta” environment where pre-enrolled EDGAR filers may preview and test many of the potential access changes. The Commission plans to provide more information regarding the Beta environment for the potential technical changes and what functions can be tested in the Beta environment through an information page on SEC.gov .

I. Introduction and Background

Individuals and entities seek to access EDGAR to make electronic submissions with the Commission to comply with various provisions of the federal securities laws. Prospective EDGAR filers currently apply for access in accord with 17 CFR 232.10 (Rule 10 of Regulation S-T) by completing the online uniform application for EDGAR access codes (“Form ID”) on the EDGAR Filer Management website and submitting a notarized copy of that application signed by an authorized individual of the filer.

If the Form ID application is approved, the contact person listed on the Form ID receives an EDGAR account number unique to the filer known as a central index key (“CIK”), if needed, and information regarding EDGAR access codes. EDGAR access codes include the EDGAR password, central index key confirmation code (“CCC”), password modification authorization code (“PMAC”), and passphrase. Filings on EDGAR are not currently linked to a specific authorized individual, but rather associated with the CIK generally. Additionally, multifactor authentication is not presently available to validate individuals accessing EDGAR and simplify password retrieval.

The Commission is considering potential technical changes to the EDGAR filer access and filer account management processes (“potential access changes”) to enhance the security of EDGAR, improve the ability of filers to securely maintain access to their EDGAR accounts, facilitate the responsible management of EDGAR filer credentials, and simplify procedures for accessing EDGAR.

Individuals who seek to file on EDGAR would be directed to a third-party service provider to create individual user account credentials, including a unique username and password (“account credentials”), and to enable multifactor authentication. The filer would designate a “filer administrator” analogous to the current filer contact person who receives access codes. The filer administrator would manage the permissions of the filer's EDGAR “users”—individuals with account credentials authorized by the filer to make submissions on its behalf. A new EDGAR filer management tool would allow the filer administrator to add and remove users and filer administrators, elevate a user to filer administrator, and change a filer administrator to a user. This tool would assist filers in complying with their existing obligation to securely maintain access to their EDGAR account.

The filer management tool would be accessed through the EDGAR Filer Management website, which would be redesigned with a new layout and features. The new account credentials would be used to access the other two EDGAR websites—EDGAR Filing and EDGAR Online Forms; however, those websites would remain largely unchanged.

The potential access changes would eliminate the EDGAR password, PMAC, and passphrase. Users would make submissions by using the filer's CIK and CCC after logging in with their new account credentials. The potential access changes would enable the Commission to identify the unique user making each filing on EDGAR while allowing a filer administrator to manage the permissions of users authorized to make submissions on the filer's behalf.

In conjunction with this request for comment, the Commission will allow pre-enrolled filers to access an EDGAR Beta environment, where filers will be able to preview and test many of the potential access changes. As with any change to EDGAR code, the potential access changes to EDGAR may affect custom code that filers have created in their systems to interact with EDGAR. The Beta environment generally should allow filers to determine what changes would be needed to their custom code to accommodate the potential access changes and to provide targeted technical feedback to the Commission about the potential access changes. The Commission currently anticipates that the Beta environment will be available in October 2021. All filers will be eligible to enroll to participate in the EDGAR Beta environment, which may be made available for future EDGAR changes. The Commission will provide more information regarding the Beta environment for the potential access changes and what functions can be tested in the Beta environment through an information page on SEC.gov .

We have established an information page explaining the potential access changes on the EDGAR—Information for Filers web page on SEC.gov , leveraging the recently introduced EDGAR—How Do I guide for filers, and providing additional filer assistance such as in-context help, live webinars, and on-demand how-to videos. Our goal is to make the transition as easy as possible for filers. We will also provide a help desk devoted to assisting filers with the potential access changes.

If the potential access changes are implemented, the Commission anticipates that it would adopt amendments to certain Commission rules and forms to reflect the potential access changes. The corresponding amendments would include changes to Rule 10 of Regulation S-T, Form ID and associated rules, and the EDGAR Filer Manual, which is incorporated by reference in the Code of Federal Regulations by Rule 301 of Regulation S-T.

We would expect to implement a phased transition of existing filers to the potential access changes, as discussed below, to make the transition a user-friendly experience for filers.

II. Discussion

We are considering potential technical changes to the method by which filers access EDGAR to make submissions and manage their EDGAR accounts.

A. Individual Account Credentials

Under the potential access changes, each individual seeking to make submissions on EDGAR on behalf of a filer would be required to obtain individual account credentials from a third-party service provider. The Commission is considering using as the third-party service provider Login.gov , an official website of the U.S. Government that provides a sign-in service for use by the public and Federal agencies. When an individual creates account credentials with the third-party service provider, the individual would be prompted to provide an email address and select an authentication option. After the individual confirms the email address and completes the authentication, the third-party service provider would assign the individual unique account credentials.

Multifactor authentication adds a layer of validation each time an individual signs in to EDGAR. For example, if the telephone authentication option is selected, the individual would enter a one-time passcode received by text message/SMS or from a telephone call to the provided telephone number each time the individual logs in to a filer's EDGAR account. Multifactor authentication would be used only for purposes of validation, and individuals would be reminded on EDGAR to provide only a business email account and relevant business information when creating account credentials. EDGAR would no longer employ the EDGAR password, PMAC, and passphrase codes.

If the individual enters their account credentials and successfully completes the multifactor authentication process, the individual would be able to access the EDGAR Filer Management website. To make submissions on behalf of a certain filer on the three EDGAR filing websites, however, individuals would also need to be authorized as a user by the relevant filer administrator.

B. Filer Administrators

As part of the changes we are considering, a filer would designate which of its users would act as filer administrator(s) to manage the filer's EDGAR account, analogous to the contact person who currently receives access codes. A filing entity would be required to designate at least two filer administrators. Employees at filing entities often change; therefore, designating two filer administrators would increase the chances that management of the filer's EDGAR account would be uninterrupted. For individual filers, one filer administrator would be required. Both filing entities and individual filers would be permitted to have additional filer administrators.

Under the potential access changes, prospective filers would designate their filer administrator during the initial Form ID application process while existing filers would enroll their filer administrators during a transition period. EDGAR would contain a link to the third-party service provider's website, where the prospective filer administrator could obtain account credentials. After the prospective filer administrator obtains account credentials, the prospective filer administrator would be automatically redirected to the EDGAR Filer Management website to access the Form ID application. We would permit a third party to be a filer administrator if the third party submits a Form ID listing the third party as filer administrator and includes a notarized power of attorney from an authorized individual of the filer that grants authority to the third party.

The filer administrator would replace the current filer contact person to manage the filer's access to EDGAR. As described in more detail below, the filer administrator would manage and confirm the permissions of users through the new filer management tool. All filer administrators would be able to manage and confirm permissions of users regardless of whether they are listed on the Form ID or added as filer administrators through the filer management tool.

On the Form ID, prospective filers would include the names and business contact information of two filer administrators for filing entities or one filer administrator for individual filers. The prospective filer would then electronically submit the Form ID and upload a notarized copy of the Form ID signed by an authorized individual of the prospective filer, as currently required.

If the Form ID application is approved, EDGAR would provide the filer administrator with a CCC code and a link to the EDGAR Filer Management website, similar to the current process. The filer administrator could then access the filer's account and the filer management tool by logging onto the EDGAR Filer Management website with the filer administrator's account credentials.

The Commission would require existing filers to transition to the potential access process. Each existing filer would designate an individual to function as filer administrator. The filer administrator for the existing filer would obtain account credentials through the third-party service provider; log in to a transition page in EDGAR; and enter the filer's CIK, CCC, EDGAR password, and passphrase. Once existing filers transition to the potential access changes, they will no longer be able to use the current login method. Existing filers that do not have active EDGAR access codes would be required to complete a new Form ID to reapply for access.

C. Filer Management Tool and Annual Confirmation of Permissions

The potential access changes would include a new filer management tool on the EDGAR Filer Management website where a filer administrator, acting on behalf of the filer, could view, add, remove, and confirm users. The filer administrator could also change the permissions of a user to filer administrator and vice versa. Further, on the filer management tool, filer administrators could delegate filing authority to third parties—such as filing agents—and remove such delegations. Thus, the filer management tool would allow filer administrators to view and manage the permissions of all of the filer's users.

Once the filer administrator adds a user on the filer management tool, that user would have access to the EDGAR filing websites when the user obtains account credentials and logs in to the websites. Unlike the filer administrator, a user could only view the user's permissions on the filer management tool, not those of the filer administrator or other users; and the only action the user could take on the tool would be to remove their own ability to file on behalf of the filer.

Filer administrators and users included on the filer management tool would be able to make submissions, submit correspondence, and manage certain filer information.

Filers are currently required to change their EDGAR password annually (a filer's EDGAR password expires 12 months after it was created or last changed), or have their access deactivated. Because the potential access changes would eliminate the EDGAR password, an annual confirmation of permissions on the filer management tool would replace the present requirement to change the EDGAR password annually.

EDGAR would notify filer administrators to access the EDGAR Filer Management website to review the list of the filer's users, including other filer administrators, and annually confirm on the filer management tool the accuracy of the permissions of those authorized to file on behalf of the filer. EDGAR would also notify each user to confirm annually the user's permissions. The annual confirmation of permissions would help the filer remain aware of who makes submissions on EDGAR on its behalf and provide an opportunity to update information about users no longer associated with the filer or no longer authorized to file on its behalf.

Filers are currently deactivated if they do not timely change their EDGAR password on an annual basis, and, under the potential access changes, if no filer administrator timely confirms permissions for a filer, that filer would be deactivated. The deactivated filer would have to resubmit a Form ID application; if approved, staff would reactivate the permissions of the filer administrator(s) listed on the Form ID application. The filer administrator could then reactivate other filer administrators and users using the filer management tool. Where filer administrators or users become deactivated because they have not confirmed their own permissions, other filer administrators could reactivate those users and filer administrators using the filer management tool.

D. Transition Period

There are approximately 180,000 EDGAR filer accounts in which a filing has been made in the last two years, approximately 115,000 of which represent filing entities and approximately 65,000 of which represent individual filers. If the potential access changes are implemented, the Commission would require filers to transition these accounts to the potential access process on a gradual basis over a six month period, likely beginning in spring 2022. During the transition period, existing accounts could access EDGAR through the current process until they transition to the potential access changes.

After all active accounts have transitioned, the Commission would address the transition of an additional approximately 600,000 inactive EDGAR filer accounts to the potential access changes. The Commission would inform filers of its plans regarding inactive accounts before it proceeds with those plans.

III. Questions

The Commission is providing an opportunity for the EDGAR filing community and other interested parties to provide feedback on the potential technical changes to the EDGAR filer access and account management processes. The Commission welcomes input on the following:

1. Does the filing community have experience with obtaining account credentials from third-party service providers including or similar to Login.gov that the Commission should consider? If so, which third-party service party service providers, and what experience? Would the use of third-party service providers give rise to any security concerns for individual or entity filers?

2. Under the potential access changes, there would need to be at least two filer administrators for filing entities and one filer administrator for individual filers; filers could designate as many filer administrators as they would like. Is this appropriate? If not, why? Should filing entities be required to have more than two filer administrators? For filing entities, would one filer administrator be adequate? Should individual filers be required to have more than one filer administrator? If so, why? Should there be a limit on the number of filer administrators?

3. With the filer management tool, the filer administrator could view, add, remove, and confirm users and other filer administrators as well as change the permissions of a user to administrator and vice-versa. Users could similarly use the tool to view and remove their own permissions. In addition, both filer administrators and users would use the filer management tool to confirm current permissions on an annual basis. Are there other functions that should be incorporated into the filer management tool or any other information that administrators or users should be able to view? Should any of these functions not be included on the filer management tool?

4. With the filer management tool, the filer administrator could delegate filing authority to third parties such as filing agents and remove such delegations. Should filer administrators be able to delegate filing authority to third parties and remove such delegations? Do commenters have any concerns with this function or any suggested modifications? Should “filing agents” be limited to entities listed in EDGAR as “filing agents” based on their Form ID filing or should it also include entities that function as filing agents but who identified themselves on their Form ID filing as “filer?”

5. Are there alternatives to the filer management tool that the Commission should consider? For example, are there alternative methods that would enable filers to take the same actions as they would using the filer management tool that would be easier to implement or more user-friendly? Do commenters have experience with alternatives to the filer management tool, whether positive or negative, that the Commission should consider?

6. Filer administrators and users would confirm their access permissions annually. The annual confirmation of permissions would help the filer remain aware of who makes submissions on EDGAR on its behalf. Should the confirmation be annual or at more or less frequent intervals? Are there concerns that the Commission should be aware of for filers that only make submissions annually or less frequently? Should both filer administrators and users confirm permissions annually, or only filer administrators? Should the requirement to apply for access again occur automatically upon failure by a filer to confirm the access permissions or should there be a grace period if the filer administrator fails to confirm the access permissions within a specified time period? If there should be a grace period, how long should it be? Would the annual confirmation create any additional burden on filers or filing agents compared to the current annual EDGAR password update requirement? If so, are there any improvements to the annual confirmation as currently described that would reduce the burden for filers or filing agents?

7. Would the potential access changes facilitate the responsible management of EDGAR filer credentials? Are there additional changes to the access process that we should make to encourage such responsible management? For example, should administrators be required to update their account permissions within a reasonable period of time following the separation of employment of a user from the filer or a change in the user's filing responsibilities? Would the potential access changes create any undue burdens for filers or filing agents? If so, how could the potential access changes be modified to ease such burdens? Are there any other concerns that the Commission should be aware of with the transition to the potential access changes?

8. Are there any issues specific to certain types of filers that should be considered with regard to the potential access changes? For example, asset-backed securities (ABS) issuers often create one or more serial companies each year, each of which is a separate legal entity with its own CIK, even though it generally has the same contact information as the ABS issuer. If the potential technical changes are implemented, should new serial companies have their user and filer administrator information automatically copied from the ABS issuer's user and filer administrator information? If so, in order to ensure that the ABS issuer has user and filer administrator information that could be copied to the new serial company, would there be any issues associated with requiring ABS issuers to have transitioned to Login.gov before the ABS issuer can create new serial companies? Separately, should we allow the annual confirmations of users and filer administrators for an ABS issuer to also apply to the serial companies associated with that ABS issuer, if the same users and filer administrators were associated with each serial company?

9. How long would it take existing filers to adjust to the potential access changes? Should we transition existing active accounts to the potential access changes on a gradual basis over a several month period, possibly beginning in spring 2022? If so, how? For example, should the transition period be tiered based on the volume of filings made by a filer or a filing agent on an annual basis? Should another method be used? What is an appropriate length of time for the transition period?

10. What other changes to the EDGAR filer access and account management processes should the Commission consider in the future?

IV. General Request for Public Comment

We request and encourage any interested person to submit comments on any aspect of the potential technical changes to the EDGAR filer access and filer account management processes, and suggestions for additional changes. In particular, we request comment on obtaining and using third-party service provider account credentials to access EDGAR, the filer administrator managing the permissions of users associated with the filer's EDGAR account, and the filer management tool. Comments are of particular assistance if accompanied by analysis of the issues addressed in those comments and any data that may support the analysis. We urge commenters to be as specific as possible.